Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network? I'm wanting to see if I can determine what is causing so much traffic on the LAN at times that it makes things crawl. I know there is some software on the DVD/CD to do this, just not sure what it is. If I know what it is, I do not mind going and reading the man pages to see if I can get it going, or a good how-to on the subject either. A good recommendation on a good firewall book / how-to would be nice to have also. Thanks for any help you list members can give me.

Jack Malone
Network Administrator
EAST TEXAS LIGHTHOUSE FOR THE BLIND dba HORIZON INDUSTRIES
903-595-3444
http://www.horizonind.com
On 19/08/04 03:17 PM, Jack Malone wrote:
Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network? I'm wanting to see if I can determine what is causing so much traffic on the LAN at times that it makes things crawl.
Many: tcpdump, ethereal, ntop; nmap can be useful for scanning a network and finding out what's doing what. The list kind of goes on and on, and not all of them are exactly easy to use though.
I know there is some software on the DVD/CD to do this, just not sure what it is. If I know what it is, I do not mind going and reading the man pages to see if I can get it going, or a good how-to on the subject either.
On yast2's installation screen you can select to display by package groups; Productivity / Networking / Diagnostic should give you what you need.
A good recommendation on a good firewall book / how-to would be nice to have also.
The IP-Tables HOWTO for Linux firewalls, but it's not exactly fun unless you're into routing tables and redirects. There are a number of specialist distros such as Smoothwall or Astaro that have good documentation.

Best,
Ben
Jack wrote regarding '[SLE] monitor lan traffic' on Thu, Aug 19 at 09:11:
Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network? I'm wanting to see if I can determine what is causing so much traffic on the LAN at times that it makes things crawl. I know there is some software on the DVD/CD to do this, just not sure what it is. If I know what it is, I do not mind going and reading the man pages to see if I can get it going, or a good how-to on the subject either. A good recommendation on a good firewall book / how-to would be nice to have also.
Thanks for any help you list members can give me.
Ethereal is the be-all end-all sniffer, IMHO. It'll let you capture and later analyze traffic, but it's tough to use for real-time monitoring. Etherape is pretty decent for watching what's going on in real time, but isn't so good for later analysis. If you have SNMP daemons running on most of your machines, mrtg or rrdtool+cacti are nice solutions for graphing the traffic on a per-machine basis, and monitoring lots of other stuff over longer periods of time. Note that the first two programs depend on promiscuous mode being able to pick up all of the network traffic, so you probably want to be running on a hub that's near to the router. Switched networks can still be sniffed, but it's a bigger pain.

--Danny
Quoting Jack Malone
Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network? I'm wanting to see if I can determine what is causing so much traffic on the LAN at times that it makes things crawl. I know there is some software on the DVD/CD to do this, just not sure what it is. If I know what it is, I do not mind going and reading the man pages to see if I can get it going, or a good how-to on the subject either. A good recommendation on a good firewall book / how-to would be nice to have also.
tcpdump - grabs selected network traffic and displays it in semi-intelligible fashion.
ethereal - GUI interface to tcpdump.
gkrellm - Windowmaker dockapp (works with Blackbox also) to monitor the system, including network load (read/write lights plus graph).
lsof - lists open files, including network connections, including the program that opened them.
netstat - lists open network ports, including program name.
mrtg & RRD - graphs loads, including network.

See also:
Intro to setting up SuSEfirewall2: http://www.unixreview.com/documents/s=8989/ur0408c/
Monitoring network traffic on an Internet connection: http://www.linuxjournal.com/article.php?sid=6985
(If you are trying to monitor a 10/100Base-T network with a switch, it can be difficult to see all traffic.)

HTH,
Jeffrey
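Two of the replies above point at the same gap: Danny notes that a capture tool like Ethereal is hard to use for real-time monitoring, and Jeffrey describes tcpdump as showing traffic "in semi-intelligible fashion". Turning tcpdump's line output into a per-host byte total is the quickest way to answer the original question of which machine is generating the load. The script below is an added example, not code from any poster; it assumes the line shape of `tcpdump -nn -q -l` output, where the last field is the TCP or UDP payload length (so frame headers are not counted), and the sample lines are constructed, not a real capture.

```shell
#!/bin/sh
# Summarize tcpdump output into per-source-host byte totals ("top talkers").
# Assumed input shape (as printed by `tcpdump -nn -q -l`):
#   HH:MM:SS.us IP SRC.PORT > DST.PORT: tcp LEN
#   HH:MM:SS.us IP SRC.PORT > DST.PORT: UDP, length LEN
# The last field is taken as the byte count; headers are not included.

# Constructed sample lines, not a real capture.
SAMPLE='10:12:01.000001 IP 192.168.1.20.3389 > 192.168.1.5.50001: tcp 1460
10:12:01.000002 IP 192.168.1.10.49152 > 192.168.1.1.53: UDP, length 60
10:12:01.000003 IP 192.168.1.20.3389 > 192.168.1.5.50001: tcp 1460
10:12:01.000004 IP 192.168.1.5.50001 > 192.168.1.20.3389: tcp 0
10:12:01.000005 IP 192.168.1.30.137 > 192.168.1.255.137: UDP, length 50
10:12:01.000006 IP 192.168.1.20.3389 > 192.168.1.5.50001: tcp 1460'

# top_talkers: read tcpdump lines on stdin, print "HOST BYTES" sorted by
# bytes descending. The port is stripped from "A.B.C.D.PORT" by removing
# the last dot-separated field.
top_talkers() {
  awk '
    $2 == "IP" && $4 == ">" {
      src = $3
      sub(/\.[^.]*$/, "", src)          # 192.168.1.20.3389 -> 192.168.1.20
      n = $NF
      if (n ~ /^[0-9]+$/) bytes[src] += n
    }
    END { for (h in bytes) printf "%s %d\n", h, bytes[h] }
  ' | sort -k2,2nr
}

# bytes_for HOST: total bytes sent by one host (0 if it never appears).
bytes_for() {
  top_talkers | awk -v h="$1" '
    $1 == h { print $2; found = 1 }
    END { if (!found) print 0 }
  '
}

# sample_top_talker: the single busiest host in the constructed sample.
sample_top_talker() {
  printf '%s\n' "$SAMPLE" | top_talkers | head -n 1
}

# Stand-alone run: show the full ranking for the sample.
printf '%s\n' "$SAMPLE" | top_talkers
```

Against a real link, capture a bounded number of packets first and then rank them, for example `tcpdump -nn -q -l -i eth0 -c 10000 > cap.txt; top_talkers < cap.txt`; the same switch-versus-hub caveat from the thread applies, since the capturing host only sees what the network delivers to its port.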
I like Ethereal.

Jack Malone wrote:
Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network? I'm wanting to see if I can determine what is causing so much traffic on the LAN at times that it makes things crawl. I know there is some software on the DVD/CD to do this, just not sure what it is. If I know what it is, I do not mind going and reading the man pages to see if I can get it going, or a good how-to on the subject either. A good recommendation on a good firewall book / how-to would be nice to have also.
Thanks for any help you list members can give me.
Jack Malone
Network Administrator
EAST TEXAS LIGHTHOUSE FOR THE BLIND dba HORIZON INDUSTRIES
903-595-3444
http://www.horizonind.com
On Thursday 19 August 2004 16:36, Danny Sauer wrote:
Jack wrote regarding '[SLE] monitor lan traffic' on Thu, Aug 19 at 09:11:
Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network? I'm wanting to see if I can determine what is causing so much traffic on the LAN at times that it makes things crawl. I know there is some software on the DVD/CD to do this, just not sure what it is. If I know what it is, I do not mind going and reading the man pages to see if I can get it going, or a good how-to on the subject either. A good recommendation on a good firewall book / how-to would be nice to have also.
Thanks for any help you list members can give me.
Ethereal is the be-all end-all sniffer, IMHO. It'll let you capture and later analyze traffic, but it's tough to use for real-time monitoring. Etherape is pretty decent for watching what's going on in real time, but isn't so good for later analysis. If you have SNMP daemons running on most of your machines, mrtg or rrdtool+cacti are nice solutions for graphing the traffic on a per-machine basis, and monitoring lots of other stuff over longer periods of time.
Note that the first two programs depend on promiscuous mode being able to pick up all of the network traffic, so you probably want to be running on a hub that's near to the router. Switched networks can still be sniffed, but it's a bigger pain.
ntop should be considered too.

Johan
--Danny
Danny Sauer wrote:
Note that the first two programs depend on promiscuous mode being able to pick up all of the network traffic, so you probably want to be running on a hub that's near to the router. Switched networks can still be sniffed, but it's a bigger pain.
I have an old 10 Mb hub, between my firewall and cable modem, just for that purpose. You can also buy devices (I forget what they're called) just for that purpose, that can be plugged between a switch and other device, without forcing the connection to half duplex, the way a hub would.
Jeffrey L. Taylor wrote:
Monitoring network traffic on an Internet connection: http://www.linuxjournal.com/article.php?sid=6985 (If you are trying to monitor a 10/100Base-T network with a switch, it can be difficult to see all traffic.)
I'm not thrilled about that "receive only" cable. Twisted pair Ethernet was intended to have only two devices connected and not designed for collisions occurring on the pair, instead of in a hub. Also, if you've got a full duplex connection, this may cause problems. Better to use a cheap hub.
At 09:53 AM 8/19/2004, James Knott wrote:
Danny Sauer wrote:
Note that the first two programs depend on promiscuous mode being able to pick up all of the network traffic, so you probably want to be running on a hub that's near to the router. Switched networks can still be sniffed, but it's a bigger pain.

OK, thanks for all the suggestions; now time to find time for some reading. I see that I will need to put in a hub in the server room close to my Netgear router to see what traffic I can see now. I have switches in all my segments here, the low-end Netgear switches.
Again, thanks for the info.

Jack
Quoting James Knott
I have an old 10 Mb hub, between my firewall and cable modem, just for that purpose. You can also buy devices (I forget what they're called) just for that purpose, that can be plugged between a switch and other device, without forcing the connection to half duplex, the way a hub would.
They are called taps. You will need two, one for each direction. They are expensive. A hub with too much bandwidth is generally good enough. E.g. a 10Mbps hub in front of a 3Mbps cable modem isn't much of a bottleneck.

Jeffrey
Quoting James Knott
Jeffrey L. Taylor wrote:
Monitoring network traffic on an Internet connection: http://www.linuxjournal.com/article.php?sid=6985 (If you are trying to monitor a 10/100Base-T network with a switch, it can be difficult to see all traffic.)
I'm not thrilled about that "receive only" cable. Twisted pair Ethernet was intended to have only two devices connected and not designed for collisions occurring on the pair, instead of in a hub. Also, if you've got a full duplex connection, this may cause problems. Better to use a cheap hub.
I'm not clear what you are objecting to. I am using a cheap hub. And I emphatically do not want a full duplex connection. I bought only one IP address from my ISP. In fact, by running a NAT router with a half dozen computers behind it, I am probably violating my AUP. I sure don't want to attract attention by grabbing two IP addresses.

Jeffrey
Johan wrote regarding 'Re: [SLE] monitor lan traffic' on Thu, Aug 19 at 09:53:
Torsdag den 19. august 2004 16:36 skrev Danny Sauer:
Jack wrote regarding '[SLE] monitor lan traffic' on Thu, Aug 19 at 09:11:
Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network. [...]
Ethereal is the be-all end-all sniffer, IMHO. It'll let you capture and later analyze traffic, but it's tough to use for real-time monitoring. Etherape is pretty decent for watching what's going on in real time, but isn't so good for later analysis. If you have SNMP daemons running on most of your machines, mrtg or rrdtool+cacti are nice solutions for graphing the traffic on a per-machine basis, and monitoring lots of other stuff over longer periods of time. [...]
ntop should be considered too.
Johan
I've had bad luck with running ntop for any extended period of time on a busy network. Even on small networks, it seems to really grind down if you're storing a history and using the web interface. It's cool for a short term, or if you shut the history thing off and don't use the web interface, though. :) I guess nmap oughtta be in there, too, as well as things like nessus and saint.

--Danny
Jeffrey L. Taylor wrote:
I'm not clear what you are objecting to. I am using a cheap hub. And I emphatically do not want a full duplex connection. I bought only one IP address from my ISP. In fact, by running a NAT router with a half dozen computers behind it, I am probably violating my AUP. I sure don't want to attract attention by grabbing two IP addresses.
I guess I misread on the first time through. In another note, quite a while ago, someone provided info on shutting down transmitting some info from an ethernet port, which worked fine with SuSE 9.0, but doesn't seem to be necessary with 9.1. I'll have to dig up the details sometime. I suppose it might also be possible to rig up a Linux box, with 2 NICs, as a bridge and monitor the traffic passing through. Incidentally, many years ago, I used to use data monitors for the old serial current loop circuits, which had dual UARTs, configured to receive only. It was interesting to watch the traffic that way.
On Thursday 19 Aug 2004 15:17, Jack Malone wrote:
Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network? I'm wanting to see if I can determine what is causing so much traffic on the LAN at times that it makes things crawl. I know there is some software on the DVD/CD to do this, just not sure what it is. If I know what it is, I do not mind going and reading the man pages to see if I can get it going, or a good how-to on the subject either. A good recommendation on a good firewall book / how-to would be nice to have also.
Thanks for any help you list members can give me.
Jack Malone
Network Administrator
EAST TEXAS LIGHTHOUSE FOR THE BLIND dba HORIZON INDUSTRIES
903-595-3444
http://www.horizonind.com

If you want total no-nonsense identification of the source of high packet counts, then you ain't going to do much better than using a little util called Tvark. It's quick, simple, and graphical; it gives you a display of links IP to IP, so it allows you to see the culprit of large numbers of packets.
I used it recently to identify the location on a network spread out over several branches of a business that is all linked via ADSL. It worked a treat; it soon found the darn windBlows machine that was causing total havoc on the network trying to act as a DNS and spread its load around. Ha, stopped dead.

Pete

--
Linux user No: 256242 Machine No: 139931
G6NJR Pete also MSA registered "Quinton 11"
A Linux Only area
Happy bug hunting M$ clan
PGN
On 19.08.04,09:17, Jack Malone wrote:
Can someone tell me what I need to have installed on a SuSE Linux machine so that I can maybe monitor and analyze some of the traffic on my network? I'm wanting to see if I can determine what is causing so much traffic on the LAN at times that it makes things crawl. I know there is some software on the DVD/CD to do this, just not sure what it is. If I know what it is, I do not mind going and reading the man pages to see if I can get it going, or a good how-to on the subject either. A good recommendation on a good firewall book / how-to would be nice to have also.
Thanks for any help you list members can give me.
All the tools you need for monitoring and security are here:
http://www.insecure.org/tools.html
And then a book with the cover to match too:
http://www.amazon.com/exec/obidos/tg/detail/-/0072254971/qid=1092939544/sr=1-27/ref=sr_1_27/104-5028218-7148746?v=glance&s=books
- Jostein
--
Jostein Berntsen
Participants (8):
- Ben Higginbottom
- Danny Sauer
- Jack Malone
- James Knott
- Jeffrey L. Taylor
- Johan Nielsen
- Jostein Berntsen
- Peter Nikolic